[Freeipa-users] CentOS6.3 + Fedora17 + PackageKit / PolicyKit "problem"

Antti Peltonen antti.peltonen at iki.fi
Mon Oct 22 08:54:07 UTC 2012


Hi all,

To answer my own question:

Policykit fetches its admin identities from a policy file (at least in
Fedora 17) from
file: /etc/polkit-1/localauthority.conf.d/50-localauthority.conf

Contents of original file:

------------------------------------------->o-----------------------------------
# Configuration file for the PolicyKit Local Authority.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.
#

[Configuration]
AdminIdentities=unix-group:wheel
------------------------------------------->o-----------------------------------

This file has warning labels that the file should not be edited since it
will be overwritten by package updates. So the recommended process is to copy
that file to another name like 90-custom.conf and modify its contents as
follows:

------------------------------------------->o-----------------------------------
[Configuration]
AdminIdentities=unix-group:wheel;unix-group:fullsudo
------------------------------------------->o-----------------------------------

where unix group "fullsudo" is a POSIX group provisioned in FreeIPA domain
and users of that group have full sudo rights through sudo rules.

-Antti-

p.s. Adding my freeipa user in local wheel group worked after logon after
all too. I wonder if I did not test enough before complaining about it but
I was _sure_ that I did logout and back in before testing but it would seem
that I did not.

On 16 October 2012 09:53, Antti Peltonen <antti.peltonen at iki.fi> wrote:

> Hi all,
>
> Just playing around with my setup that consists of two FreeIPA domain
> controllers on CentOS6.3 so the version of FreeIPA in use there is 2.2.0
>
> So now after setting up my test laptop with Fedora 17 I proceeded to do a
> client installation and it seems freeipa-client version on F17 is also
> 2.2.0 but such things as sudo and sssd are much more recent than on CentOS.
> This caused a few grey hairs until I got the sudo configuration to work by
> manipulating sssd.conf.
>
> Now that my user provisioned in FreeIPA domain can log on to my laptop, use
> sudo etc. to install software, I noticed one little issue with the policykit +
> packagekit combination. When through X I try to install an RPM package or
> do anything that requires admin rights it keeps asking for the root user's
> password and not my sudo-enabled FreeIPA user's.
>
> If I have understood correctly packagekit advertises its request for admin
> rights through dbus to policykit which reads its policy files for matching
> description about the request. In this case the file seems to
> be: /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
>
> In this policy file there is a lot of stuff which at this point makes no
> sense to me at all except that I guess that the
> lines: <allow_active>auth_admin</allow_active> describe that policykit
> should require the user to enter an administrative-level user's password. Now on
> a basic F17 installation where after first boot you create your first normal
> user account and give it a password there is a checkbox for
> "Administrator" or something similar which seems to add this user to be
> created in "wheel" and "adm" posix groups. When policykit requires an
> administrative user's password it asks for this local user's password if it
> is a member of those groups (I guess) and if not it asks for the root user's
> password.
>
> However when I add my FreeIPA user to the adm and wheel groups (silly
> since my sudo rules in FreeIPA already give me full sudo rights)
> policykit does not seem to make sense out of this situation and keeps
> asking for the root user's password.
>
> Now after all this bad English and a load of factual errors the actual
> question is: What needs to be configured and how to make a FreeIPA
> provisioned user be "local administrator" in policykit's mind? If this is
> at all possible in the current stage of development...
>
> p.s. I use PackageKit here as an example target for the PolicyKit but I
> guess that anything to do with process rights elevation through PolicyKit
> is affected - not just the PackageKit application.
>
> --
> Antti Peltonen | Homo sapiens | planet Earth
> email antti.peltonen at iki.fi
> irc BCOW @ IRCNet | Twitter @BrainCOW
>
> "Ars longa, vita previs."
>
>


-- 
Antti Peltonen | Homo sapiens | planet Earth
email antti.peltonen at iki.fi | cellular +358 44 328 5555
irc BCOW @ IRCNet | Twitter @BrainCOW

"Ars longa, vita previs."
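The drop-in override described in the message above, as an added example that is not part of the original post or of the polkit/FreeIPA projects: a shell check that reports which AdminIdentities value wins across the files in a localauthority.conf.d directory and which unix groups it grants admin status to. It assumes the ordering rule from pklocalauthority(8) (files read in C-locale lexical order, later files override earlier ones); the function names and the temporary sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption (pklocalauthority(8)): *.conf files in the directory are read in
# C-locale lexical order and a later file overrides an earlier one.

# Print the AdminIdentities value that wins in directory $1.
effective_admin_identities() (
    LC_ALL=C; export LC_ALL
    dir=${1:-/etc/polkit-1/localauthority.conf.d}
    value=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Only honour the key inside the [Configuration] section.
        if v=$(awk '
            /^[ \t]*\[/ { in_cfg = ($0 ~ /^[ \t]*\[Configuration\][ \t]*$/); next }
            in_cfg && /^[ \t]*AdminIdentities[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0; found = 1
            }
            END { if (!found) exit 1; print v }' "$f"); then
            value=$v
        fi
    done
    printf '%s\n' "$value"
)

# Print one unix group per line from an AdminIdentities value.
admin_groups() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^unix-group://p'
}

# Constructed sample mirroring the two files shown in the post.
demo=$(mktemp -d)
printf '[Configuration]\nAdminIdentities=unix-group:wheel\n' \
    > "$demo/50-localauthority.conf"
printf '[Configuration]\nAdminIdentities=unix-group:wheel;unix-group:fullsudo\n' \
    > "$demo/90-custom.conf"

ids=$(effective_admin_identities "$demo")
echo "effective: $ids"
for g in $(admin_groups "$ids"); do
    # getent also sees SSSD/FreeIPA groups when nsswitch is configured for them.
    if command -v getent >/dev/null 2>&1 && getent group "$g" >/dev/null; then
        echo "group $g resolves"
    else
        echo "group $g not resolvable here"
    fi
done
rm -rf "$demo"
```

Run without an argument, `effective_admin_identities` inspects /etc/polkit-1/localauthority.conf.d, which makes it usable as a periodic audit of who polkit treats as an administrator.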